Biometric National IDs and Passports: A False Sense of Security

People tend to think that digital copies of our biological features, stored in a government-run database, are problems of a dystopian future. But governments around the world are already using such technologies. Severalcountries are collecting massive amounts of biometric data for their national identity and passport schemes—a development that raises significant civil liberties and privacy concerns. Biometric identifiers are inherently sensitive data. As European privacy watchdogs have said, biometrics changes irrevocably the relationship between body and identity, because they make the characteristics of the human body "machine-readable" and subject to further use. This is why such identification schemes become particularly dangerous when used with unreliable biometric technologies that can misidentify individuals.

Regulators in several jurisdictions continue to romanticize the security and accuracy of face, fingerprint, and iris automatic recognition biometric technologies. But the existence of a significant amount of falsified biometric identification documents raisesquestions as to whether these technologies are toounreliable to prevent fraud, thus providing individuals and governments with a false sense of security.

Automatic Face Recognition in Border Control

Biometric data of individuals’ faces has been usedsince 2007 at various European border checks. Elevenairportsinthe UnitedKingdom now have e-passport gates that scan EU travelers’ faces and compare them tomeasurementsoftheirfacialfeatures (i.e. biometrics), stored on a chip in their biometric passports. Althougherror rates of state-of-the-art facial recognition technologies have been reduced over the past 20 years, these technologies still cannot identify individuals with complete accuracy. In an incidentin 2011, the Manchester e-passport gates let through a couple that had mixed up their passports. The UK Border Agency subsequently disabled the Manchester gates and launched an investigation.

Similare-passportgates have been introduced in Australia and New Zealand. During the early stages of testing in Australia, the technology showed a six to eight percent error rate. Moreover, this technology also misidentified two men who exchanged passports. Nevertheless, the government refused to disclose the final error rates, citing security concerns.

Digital Fingerprint Recognition

U.S. lawrequiresvisitorstosubmitbiometrics to a central database in the form of a digital fingerprint when seeking a visa or when entering the country.EUlaw further requires all passports for 26 countries in the Schengen area(the borderless zone within European countries) to contain digital fingerprint data on a chip.

The United Kingdom—a non-Schengen country—contemplated introducing fingerprints voluntarily as part of abiometricpassport 2.0, but ultimately decided against it. The UK government was preparing to launch abiometricnationalidentitycard, for which it gathered fingerprints from 15,000 volunteers for the project. But the new government“didn'tbelieveIDcardswouldwork" and physically destroyed the pilot identity databases. However, in 2010, the UK National Policing Improvement Agency also conducted apilottest to provide police officers with digital fingerprint scanners that could remotely match individuals’ fingerprints against a central database. The outcome of this project is unknown and, when questioned, the agencyrefused to disclose the error rates that resulted from its tests.

In the Netherlands, the database storage of digital fingerprinting for travel documentswas haltedfollowing questions over the reliability of the biometric technology. The Mayor of the City of Roermond reported that21 percent offingerprints collected in the city could not be used to identify any individuals. In April 2011, the Dutch Minister of Interior, in a letter to the Dutch House of Representatives, asserted that the number of false rejections (cases in which there is a "no-hit” for a lawful holder of a travel document) is too high to warrant using fingerprints for verification and identification. Currently, only fingerprints onto Radio Frequency Identification (RFID) chips in ID documents are being collected.

AGermancourt recently asked the EU Court of Justice for a preliminary ruling on the legality of biometric passports with RFID chips, which are readable from a distance. The German court questioned whether the EUregulation that requires biometric passports in Europe is compatible with Charter of Fundamental Rights of the European Union and the European Convention of Human Rights.

InFrance, a report last year disclosed the questionable security of biometric passports. It showed that 10 percent of biometric passports were fraudulently obtained for illegal immigrants or people looking for a new identity. Following the issues with respect to biometric passports in the various EU countries, Members of the EuropeanParliament have queried the European Commission about the reliability of these biometric passports.

Iris Scan Identification

In preparation for the UK’s national ID card scheme, theUKgovernmentnoted that there was little research indicating the reliability of iris scan identification. The government initially relied upon unpublished and unverified results from an airport trial. There wereconcerns that “hard contact lenses,” “watery eyes and long eyelashes” could prevent accurate scanning. The government then asked theNationalPhysicalLaboratory (NPL) totest the technology. The NPL chief research scientiststatedinthenews that “technologies like iris scanning are accurate enough for the ID cards application but only provided they are implemented properly and one has appropriate fall-back processes to deal with exceptional cases." Butastudy has shown that it is difficult to enroll disabled individuals into an iris database. The success of enrollment also significantly varies depending on race and age, suggesting further errors if the technology were implemented. Additional testing of iris scanners has been initiated by theU.S. DepartmentofHomelandSecurity.

In summary, governments have failed to support their claim that such technologies actually improve security. These governments have not proved that the technology is reliable enough to prevent fraud. Of course, the reliability of the technology is only one aspect of the different problems around governments’ collection of biometrics, including privacy, security, profiling, discrimination, and other civil liberties.EFF will continue monitoring this issue.Stay tuned!

Related Updates

A new Illinois bill would strip residents of critical protection of their biometric privacy, including their right to decide whether or not a business may harvest and monetize data about their faces and fingerprints. Given the growingpublicoutrage over how Facebook and Cambridge Analytica handled...

In a disappointing and deeply divided opinion released today, the California Supreme Court upheld a state law law mandating DNA collection from arrestees. A lower court had held this law violated the privacy and search and seizure protections guaranteed under the California constitution. Today’s decision lets this flawed law...

The Supreme Court of India has commenced final hearings in the long-standing challenge to India's massive biometric identity apparatus, Aadhaar. Following last August’s ruling in the Puttaswamy case rejecting the Attorney General's contention that privacy was not a fundamental right, a five-judge bench is now weighing in on...

The U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) Privacy Office, and Office of Field Operations recently invited privacy stakeholders—including EFF and the ACLU of Northern California—to participate in a briefing and update on how the CBP is implementing its Biometric Entry/Exit Program.
As we’ve written ...

San Francisco, California—Face recognition—fast becoming law enforcement’s surveillance tool of choice—is being implemented with little oversight or privacy protections, leading to faulty systems that will disproportionately impact people of color and may implicate innocent people for crimes they didn’t commit, says an Electronic Frontier Foundation (EFF) ...

EFF is taking the National Institute for Standards and Technology (NIST), FBI, and DHS to court to obtain records about a program to refine automated tattoo recognition technology.
Beginning in 2014, NIST, with support from the FBI and DHS, created a multi-part technology challenge that encouraged public universities and private...

Step onto any city street and you may find yourself subject to numerous forms of police surveillance—many imperceptible to the human eye.A cruiser equipped with automated license plate readers (also known as ALPRs) may have just logged where you parked your car. A cell-site simulator may be capturing your cell-phone...

San Francisco, California—The Electronic Frontier Foundation (EFF) and the ACLU won a decision by the California Supreme Court that the license plate data of millions of law-abiding drivers, collected indiscriminately by police across the state, are not “investigative records” that law enforcement can keep secret. California’s...